Half of employees fear repercussions from their organization if they report a security mistake, according to a report by ThinkCyber, based on a survey conducted at Infosecurity Europe 2024.
Just 51% of respondents said they believed most people across their business were focused on security, with 39% stating they felt only the executives and security teams were focused on this area.
The employee behaviors that cyber professionals are most concerned about were:
- Clicking on malicious links in phishing emails (53%)
- Sharing corporate data outside of the business (53%)
- Sharing usernames and passwords (51%)
Cyber Awareness Training Not Working Effectively
The report also highlighted significant concerns among cybersecurity professionals about the impact of security awareness training on changing employee behaviors.
A quarter of respondents said they doubted that their colleagues change their behavior as a result of current security awareness training, while 42% admitted that their organization is not able to even somewhat prove whether their current security awareness training is changing risky behaviors.
Around half (49%) also noted their business does not have a mechanism for identifying the user groups that are carrying out risky behaviors.
Additionally, close to two-thirds (60%) said that training is only provided every few months or even just once a year.
Read here: How to Change Security Behaviors Beyond Awareness Training
How to Improve Security Awareness Training
ThinkCyber highlighted the importance of targeted, contextualized training, ensuring it is relevant for individual employees.
Tim Ward, CEO at ThinkCyber, commented: “By intervening at the precise moment when a risky action is about to be taken, individuals are more likely to understand the specific dangers and consequences associated with their actions. This timely intervention ensures that the lesson is not abstract or theoretical but grounded in a real-world context, making it more impactful.”
The use of targeted interventions to change security behaviors is also advocated by CultureAI, who highlighted the emerging field of human risk management (HRM) to Infosecurity.
Ward added that organizations need to find ways to measure behavioral impact from training programs, which can also pinpoint which user groups require extra help.
Another finding from the survey was the need for organizations to deliver shorter, but more regular training segments. Over two-thirds (70%) of respondents said they want to keep their knowledge fresh, and that little and often works for them.